PT-2025-45406 · WordPress · Idonate+1

Kenneth Dunn · Published 2025-11-07 · Updated 2025-11-07 · CVE-2025-4522

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: IDonate – Blood Donation, Request And Donor Management System plugin for WordPress versions 2.0.0 through 2.1.9

Description: The IDonate plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. Attackers with Subscriber-level access or higher can delete arbitrary user accounts, including administrator accounts, by manipulating the user ID parameter passed to the wp_delete_user() function through the admin_post_donor_delete() function.

Recommendations: Versions 2.0.0 through 2.1.9 are vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-4522

Affected Products: Idonate, WordPress